Matrix Chat Server

In days where governments are checking out more and more services and demanding backdoors in messanger services it may be good to host his own messenger service.

I recently found this one and it seems to be quite easy to setup. All Information can also be found on the projects page

Git Hub Project:

Not all the DNS Entries are needed. For messenger only setup only the matrix, element and the _SRV one are needed. we will do them all.

needed Ports:

80tcpHTTP Webserver
443tcpHTTPs Webserver
8448tcpMatrix Federation

needed DNS Entries:

host must be set according to your DNS provider. some only need <entry> others want <entry.domain.toplevel>



We will run the install on an debian 11 Server. Playbooks don’t need to be on the Server. the can be run from an remote machine. that is the suggested way to do. so no config files with cleartext password will reside on the server. In our example we will run everything on one Server.

the installation is by default configured to run with root. this can be changed.
documented here.

install prerequisites

sudo apt update
sudo apt upgrade
sudo apt install python3 ansible pwgen

Setup root user access with key:

generate key with user root:

$ sudo -i
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/
The key fingerprint is:
SHA256:9dzYvTU5smYvNYsigW+FKpYEiY/cWAc1Ck3w9o5SNBU matrix@VM-e640e2b1-6de2-43ca-926d-700e69ba4604
The key's randomart image is:
+---[RSA 3072]----+
| o+..E.          |
|  ooo .          |
|  .*o     .      |
| .o+o.   . o + ..|
|. *.o.  S . +.o+o|
| +.oo. . o .  oo=|
| . .... o o  +o.o|
|  .  + . + .oo.. |
|    . . . . . .. |

# now we need to add the public key to the authorized_keys file
$ cat /root/.ssh/ >> /root/.ssh/authorized_keys

Now we are able to ssh from root into root with ssh key auth

Clone git repository

$ git clone

make configs

change to git directory

$ cd matrix-docker-ansible-deploy/

make directory for your configs

$ mkdir inventory/host_vars/matrix.<your-domain>

copy example configs to edit

$ cp examples/vars.yml inventory/host_vars /
$ cp examples/hosts inventory/hosts

Now we generate two Passwords. one as the matrix server secret key which is used to encrypt other stuff in matrix. and one as postgres password

We will use pwgen for this

-s -> secure. generates a totally random password (thats what the man page says ;))
64 -> length of password
2 -> how many to generate

# generate matrix and postgres secret
$ pwgen -s 64 2

now we edit the vars.yml config file

# open file for writing
$ vim inventory/host_vars/matrix.<your-domain>/vars.yml

Edit the config as following

# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
# Example value:
matrix_domain: <your-domain>

# The Matrix homeserver software to install.
# See `roles/matrix-base/defaults/main.yml` for valid options.
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: 'L0KYiXz2IYpaWNHQxwSEZLOvGiMTIo7ELRwtKGoyVpuvPXCAC7MXeIbAABr0wR61'

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
# In case SSL renewal fails at some point, you'll also get an email notification there.
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/`).
# Example value: [email protected]
matrix_ssl_lets_encrypt_support_email: '<your-mail-address>'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
matrix_postgres_connection_password: 'vXeNlsnaolAKEramzgXHFfJM8cIo3YTQ4XWreTVhQJSJM1Tqp633CTfZKc7ShNM0'

Now we need to edit the hosts file. so it fits our setup.

vim inventory/hosts

Edit the string to look as following

# We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
# For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
# to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file.
# If you're running this Ansible playbook on the same server as the one you're installing to,
# consider adding an additional `ansible_connection=local` argument to the host line below.
# Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04).
# You may sometimes need to explicitly add the argument `ansible_python_interpreter=/usr/bin/python3`
# to the host line below.

matrix.<your-domain> ansible_host=<external-ip-address> ansible_ssh_user=root

Now everything is ready for install the the application. The cool thing about ansible is that the playbooks are idempotent and can be run again and again and will only change what was changes

ansible-playbook -i inventory/hosts setup.yml --tags=setup-all

now all the playbooks will run for 5 – 10 minutes and none should show failed at the recap.

PLAY RECAP ******************************************************************************************************************************************************************
matrix.<your-domain>         : ok=221  changed=5    unreachable=0    failed=0    skipped=1696 rescued=0    ignored=0   

Start all services

ansible-playbook -i inventory/hosts setup.yml --tags=start

check the recap. nothiing should fail

PLAY RECAP ******************************************************************************************************************************************************************
matrix.<your-domain>         : ok=22   changed=2    unreachable=0    failed=0    skipped=193  rescued=0    ignored=0

Now the Server is up and running. user registration is by default disabled.

we can access https://element.<your-domain> to verify if everything looks good. Element is the Web Interface for matrix.

now we need to create a user for login

There are two ways to create a user.

You can use ansible or via CLI on the Server

ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-username> password=<your-password> admin=<yes|no>' --tags=register-user


/usr/local/bin/matrix-synapse-register-user <your-username> <your-password> <admin access: 0 or 1>

Now we should be able to login with the user in the element UI.

By default the setup federates with the whole matrix network.

To disable this add the following to inventory/host_vars/matrix./vars.yml

matrix_synapse_federation_enabled: false

To share your public rooms to the whole matrix network add the following to inventory/host_vars/matrix./vars.yml

matrix_synapse_allow_public_rooms_over_federation: true

in either case you have to rerun the install routine

ansible-playbook -i inventory/hosts setup.yml --tags=setup-all

Gratulations. Your own messaging server is now up and running and can be used for messaging in browser and mobile app.

more articles about the other functions will follow.

, ,

Leave a Reply

Your email address will not be published. Required fields are marked *